How to Secure a DHCP Server in Windows?

As we all know, DHCP Servers are used to assign IP Addresses and other configuration information to client computers running almost any sort of operating system, ranging from regular desktop computers, through laptop computers, up to thin clients and mobile devices. All these require a DHCP server in order to get their TCP/IP configuration settings (unless you manually configure them). One of the major headaches around using DHCP servers was the fact that the moment a computer is connected to your network, it will ask for, and receive, an IP Address from any available DHCP. This will happen to both trusted and un-trusted computers, causing us, the administrators, a potential security risk.

DHCP Administrators would like to control access to their networks, by issuing IP addresses to known clients or denying the same to selected machines. This functionality may be added to the MS DHCP Server, by installing this package, thereby adding an additional lightweight layer of security on the network. This DHCP Server Callout DLL allows the administrator to filter incoming DHCP Requests to DHCP Server based on the MAC Address of the DHCP client. When a device or computer tries to connect to the network, it shall first try to obtain an IP address from the DHCP Server. DHCP Server Callout DLL checks if the MAC address of the machine is present in a known list of MAC addresses (, that has been configured by administrators). The client’s request to obtain an IP address or other configuration information (via DHCP), shall be forwarded or dropped based on the list configured by administrator.

You can download MAC address filtering from under given link;

[download id=”15″]

System Requirements

  • Server :  Windows 2003 Server (Enterprise or higher)/Windows 2008 Server (Enterprise or higher,  32 or 64 bit), running DHCP Server

Issues solved by using the DHCP Server Callout DLL

The DHCP Server Callout DLL will help the network administrators to  solve either of the following problems:

  • Allow only a specific set of known MAC addresses to obtain an IP Address from the DHCP server. This list can be easily compiled by using your server/client computer documentation, by using a good monitoring software such as SMS 2003, or by using WMI-based scripts.
  • Deny Machines belonging to set of MAC addresses from obtaining an IP Address from the DHCP server.

Unfortunately, DHCP Server Callout DLL can currently only perform one action. Either allow, or deny, specific MAC Addresses. It cannot do both.

The DHCP Server Callout DLL works on both Windows Server 2003 and Windows Server 2008 DHCP servers.

When installing, both the dll (MacFilterCallout.dll) and the Setup document (SetupDHCPMacFilter.rtf) are copied to the %SystemRoot%system32 folder.

On 64-bit operating systems, the location for installation is %SystemRoot%SysWOW64.


  1. Run the appropriate installer depending on your processor architecture,  (i.e., on a 32 bit Windows Server OS,  run <MacFilterCalloutInstaller-x86.msi>  or run <MacFilterCalloutInstaller-x64.msi> on 64 bit Server OS)
  2. Edit the file (eg. MACFilter.txt)
  3. Restart the DHCP server to see the results

Please share your comments about this post.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.